A recent CJEU finding on mass surveillance creates more uncertainty with regard the UK's chances of an adequacy decision. We explain what the case is about and its potential impact on adequacy.
There have been two important CJEU decisions recently affecting the UK's future data relationship with the EU. The first was Schrems II, details of which can be found in our earlier briefing. The second landed on 6 October 2020 in a case brought by Privacy International - a UK-based charity that defends and promotes the right to privacy - against the UK government.
In the Privacy International case, the CJEU looked at whether the E-Privacy Directive, applied in the UK via the Privacy and Electronic Communications Regulations to regulate the collection and use of e-comms data, precludes national surveillance laws such as the Regulation of Investigatory Powers Act, from requiring electronic communication service providers to carry out the general and indiscriminate transmission or retention of traffic and location data for the purpose of combating crime in general or of safeguarding national security. The court found that it did, and that EU privacy laws, such as the Directive and the GDPR, cannot be overridden by national security agencies to allow for regular bulk data collection.
One of the largest operational impacts Brexit may have on UK organisations is in relation to their processing of EU citizens' personal data, once the transition period comes to an end, which can only be lawfully transferred from the EEA to the UK if the UK is judged to have adequate data protection standards, or failing which, by using a GDPR mandated safeguarding mechanism or derogation. An adequacy decision – by far the most convenient route for personal data to be transferred to the UK, is keenly awaited by EEA and UK based controllers and processors but by no means guaranteed. It has long been suggested that the UK's surveillance regime might present an obstacle to such a decision materialising.
This CJEU ruling - at this stage in the transition period – effectively declaring UK legislation on this type of processing of data is incompatible with European law, has no direct effect on an adequacy decision, but exacerbates that argument even more. The announcement last week that the UK should be ready for a no-deal Brexit does not help either.
In such a climate, UK based businesses should consider the implementation of available fallback mechanisms particularly in relation to their key data flows from the EEA. The most appropriate fall back mechanism for many, despite Schrems II, is still likely to be standard contractual clauses. However the decision in Schrems II means that the use of such clauses is not altogether straightforward either, and the decision of the CJEU about the UK's surveillance laws potentially creates difficulties for controllers which must follow the requirement in Schrems II to not only assess the data importer's own security measures and circumstances, but the wider data protection regime of the destination country as well.
Further guidance about what organisations can do to address this is awaited from the European Data Protection Board, which oversees data protection authorities in the EU. A new, modernised set of standard contractual clauses which better reflects modern business practices, is also anticipated before the end of the year, though we do not have any precise timings yet. In the meantime, its a case of getting your ducks in a row as far as possible, so that you are ready to act quickly, if needs be, in a relatively short period of time, and if an adequacy decision does not materialise by the end of the transition period.
For bespoke guidance on this issue please contact the Commercial, IP & Technology team.